{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In Open-iSCSI tcmu-runner 1.3.x, 1.4.x, and 1.5.x through 1.5.2, xcopy_locate_udev in tcmur_cmd_handler.c lacks a check for transport-layer restrictions, allowing remote attackers to read or write files via directory traversal in an XCOPY request. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. NOTE: relative to CVE-2020-28374, this is a similar mistake in a different algorithm."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-01-14T03:32:16", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1178372"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.suse.com/attachment.cgi?id=844938"}, {"tags": ["x_refsource_MISC"], "url": "https://www.openwall.com/lists/oss-security/2021/01/12/12"}, {"name": "[oss-security] 20210113 Re: CVE-2020-28374: Linux SCSI target (LIO) unrestricted copy offload", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/01/13/5"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/open-iscsi/tcmu-runner/pull/644"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-3139", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Open-iSCSI tcmu-runner 1.3.x, 1.4.x, and 1.5.x through 1.5.2, xcopy_locate_udev in tcmur_cmd_handler.c lacks a check for transport-layer restrictions, allowing remote attackers to read or write files via directory traversal in an XCOPY request. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. NOTE: relative to CVE-2020-28374, this is a similar mistake in a different algorithm."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.suse.com/show_bug.cgi?id=1178372", "refsource": "MISC", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1178372"}, {"name": "https://bugzilla.suse.com/attachment.cgi?id=844938", "refsource": "MISC", "url": "https://bugzilla.suse.com/attachment.cgi?id=844938"}, {"name": "https://www.openwall.com/lists/oss-security/2021/01/12/12", "refsource": "MISC", "url": "https://www.openwall.com/lists/oss-security/2021/01/12/12"}, {"name": "[oss-security] 20210113 Re: CVE-2020-28374: Linux SCSI target (LIO) unrestricted copy offload", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/01/13/5"}, {"name": "https://github.com/open-iscsi/tcmu-runner/pull/644", "refsource": "CONFIRM", "url": "https://github.com/open-iscsi/tcmu-runner/pull/644"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T16:45:51.388Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1178372"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.suse.com/attachment.cgi?id=844938"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.openwall.com/lists/oss-security/2021/01/12/12"}, {"name": "[oss-security] 20210113 Re: CVE-2020-28374: Linux SCSI target (LIO) unrestricted copy offload", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/01/13/5"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/open-iscsi/tcmu-runner/pull/644"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-3139", "datePublished": "2021-01-13T15:33:45", "dateReserved": "2021-01-13T00:00:00", "dateUpdated": "2024-08-03T16:45:51.388Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tcmu-runner_project:tcmu-runner:*:*:*:*:*:*:*:*", "matchCriteriaId": "8926E8CD-ABE4-4BAA-9AD6-C92CCEE815E8", "versionEndIncluding": "1.5.2", "versionStartIncluding": "1.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Open-iSCSI tcmu-runner 1.3.x, 1.4.x, and 1.5.x through 1.5.2, xcopy_locate_udev in tcmur_cmd_handler.c lacks a check for transport-layer restrictions, allowing remote attackers to read or write files via directory traversal in an XCOPY request. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. NOTE: relative to CVE-2020-28374, this is a similar mistake in a different algorithm."}, {"lang": "es", "value": "En Open-iSCSI tcmu-runner versiones 1.3.x, 1.4.x y versiones 1.5.x hasta 1.5.2, en la funci\u00f3n xcopy_locate_udev en el archivo tcmur_cmd_handler.c carece de una comprobaci\u00f3n de restricciones de la capa de transporte, permitiendo a atacantes remotos leer o escribir archivos por medio de un salto de directorio en una petici\u00f3n XCOPY. Por ejemplo, un ataque puede ocurrir en una red si el atacante presenta acceso a un iSCSI LUN. NOTA: en relaci\u00f3n con CVE-2020-28374, este es un error similar en un algoritmo diferente."}], "id": "CVE-2021-3139", "lastModified": "2024-11-21T06:20:58.610", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-01-13T16:15:14.617", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Mitigation", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/01/13/5"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.suse.com/attachment.cgi?id=844938"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1178372"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/open-iscsi/tcmu-runner/pull/644"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2021/01/12/12"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Mitigation", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/01/13/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.suse.com/attachment.cgi?id=844938"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1178372"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/open-iscsi/tcmu-runner/pull/644"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2021/01/12/12"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:1518", "cpe": "cpe:/a:redhat:ceph_storage:3::el7", "package": "ceph-2:12.2.12-139.el7cp", "product_name": "Red Hat Ceph Storage 3 - ELS", "release_date": "2021-05-06T00:00:00Z"}, {"advisory": "RHSA-2021:1518", "cpe": "cpe:/a:redhat:ceph_storage:3::el7", "package": "ceph-ansible-0:3.2.56-1.el7cp", "product_name": "Red Hat Ceph Storage 3 - ELS", "release_date": "2021-05-06T00:00:00Z"}, {"advisory": "RHSA-2021:1518", "cpe": "cpe:/a:redhat:ceph_storage:3::el7", "package": "cephmetrics-0:2.0.10-1.el7cp", "product_name": "Red Hat Ceph Storage 3 - ELS", "release_date": "2021-05-06T00:00:00Z"}, {"advisory": "RHSA-2021:1518", "cpe": "cpe:/a:redhat:ceph_storage:3::el7", "package": "grafana-0:5.2.4-3.el7cp", "product_name": "Red Hat Ceph Storage 3 - ELS", "release_date": "2021-05-06T00:00:00Z"}, {"advisory": "RHSA-2021:1518", "cpe": "cpe:/a:redhat:ceph_storage:3::el7", "package": "tcmu-runner-0:1.4.0-3.el7cp", "product_name": "Red Hat Ceph Storage 3 - ELS", "release_date": "2021-05-06T00:00:00Z"}, {"advisory": "RHSA-2021:1452", "cpe": "cpe:/a:redhat:ceph_storage:4::el7", "package": "ceph-2:14.2.11-147.el7cp", "product_name": "Red Hat Ceph Storage 4.2", "release_date": "2021-04-28T00:00:00Z"}, {"advisory": "RHSA-2021:1452", "cpe": "cpe:/a:redhat:ceph_storage:4::el7", "package": "ceph-ansible-0:4.0.49.2-1.el8cp", "product_name": "Red Hat Ceph Storage 4.2", "release_date": "2021-04-28T00:00:00Z"}, {"advisory": "RHSA-2021:1452", "cpe": "cpe:/a:redhat:ceph_storage:4::el7", "package": "gperftools-0:2.6.3-3.el8cp", "product_name": "Red Hat Ceph Storage 4.2", "release_date": "2021-04-28T00:00:00Z"}, {"advisory": "RHSA-2021:1452", "cpe": "cpe:/a:redhat:ceph_storage:4::el7", "package": "tcmu-runner-0:1.5.2-3.el8cp", "product_name": "Red Hat Ceph Storage 4.2", "release_date": "2021-04-28T00:00:00Z"}], "bugzilla": {"description": "tcmu-runner: SCSI target (LIO) write to any block on ILO backstore", "id": "1916045", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916045"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-20", "details": ["In Open-iSCSI tcmu-runner 1.3.x, 1.4.x, and 1.5.x through 1.5.2, xcopy_locate_udev in tcmur_cmd_handler.c lacks a check for transport-layer restrictions, allowing remote attackers to read or write files via directory traversal in an XCOPY request. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. NOTE: relative to CVE-2020-28374, this is a similar mistake in a different algorithm.", "A flaw was found in the Linux kernel\u2019s implementation of the Linux SCSI target host, where an authenticated attacker could write to any block on the exported SCSI device backing store. This flaw allows an authenticated attacker to send LIO block requests to the Linux system to overwrite data on the backing store. The highest threat from this vulnerability is to integrity. In addition, this flaw affects the tcmu-runner package, where the affected SCSI command is called."], "mitigation": {"lang": "en:us", "value": "As this feature can be guarded behind an authentication and firewall rules, limit access with firewall rules and enforcing strong password hygiene.  This may not be a suitable option if many uncontrolled hosts mount the networked iSCSI device."}, "name": "CVE-2021-3139", "package_state": [{"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Will not fix", "package_name": "tcmu-runner", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "tcmu-runner", "product_name": "Red Hat Storage 3"}], "public_date": "2021-01-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-3139\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3139"], "statement": "This issue did not affect the version of tcmu-runner as shipped with Red Hat Gluster Storage 3, as it did not include support for Extended Copy (XCOPY). \nRed Hat Ceph Storage 3 and 4 are affected, as they ship an affected version of tcmu-runner with XCOPY.\nRed Hat OpenShift Container Storage (RHOCS) 4 shipped tcmu-runner package for the usage of RHOCS 4.2 only, that has reached End Of Life. The shipped version of tcmu-runner package is no longer used and supported with the release of RHOCS 4.3.", "threat_severity": "Important"}